Germany’s BaFin tightens bank oversight as AI cyber risks surge

BaFin is creating faster IT spotlight inspections as AI tools sharpen cyber risks and expose gaps in banks’ defenses.

Sarah Chen, written with AI · 2 min read

Germany’s top financial watchdog is moving from warning about AI to actively probing it. BaFin said it was creating a new division to carry out targeted IT spotlight inspections of banks and other financial firms, a faster review model designed to catch emerging cyber weaknesses before they become systemwide problems.

The shift reflects how quickly artificial intelligence is changing the risk profile of finance. Mark Branson, BaFin’s president, said the newest AI tools can spot vulnerabilities in both new and legacy IT systems with remarkable speed and can exploit those weaknesses even faster. In practice, that puts pressure on banks to prove that their models, defenses and vendor controls can keep pace with tools that adapt far more quickly than traditional compliance cycles.

BaFin’s new inspections are meant to be lighter than full-scale examinations, but not softer. The regulator said the point is to react more effectively to incidents and to current developments as the technology changes. That means supervisors are likely to focus on model risk, cyber exposure, third-party vendors and compliance blind spots, especially where banks are deploying AI on top of older infrastructure that was never built for modern attack techniques.

The move comes after a year of stepped-up digital oversight. BaFin said most supervised financial entities had to begin applying the European Union’s Digital Operational Resilience Act from January 17, 2025, with implementation notes developed alongside the industry, the Deutsche Bundesbank and BaFin through six working groups and more than 30 sessions. On January 30, 2026, BaFin followed with guidance on ICT risks in the use of AI, saying security and resilience must be ensured across the full AI lifecycle, from data acquisition and model development through operation and retirement.

The watchdog has also been sounding broader stability alarms. In its January 28, 2026 risks report, BaFin identified six top risks for financial institutions and three structural trends reshaping the sector, including digitalisation, while warning that enthusiasm around AI growth forecasts and valuations could prove excessive. It also said banks and insurers were mostly profitable and well capitalised, even as Germany’s weak economy and rising company insolvencies threatened to lift non-performing loans.

Branson has tied that prudential stance to consumer protection as well as stability, arguing at BaFin’s annual press conference that the two go hand in hand. The message is clear: AI is no longer just a competitiveness story. In Frankfurt, Bonn and Berlin, it is becoming a supervision story, and BaFin now wants to inspect it faster than cyber attackers can exploit it.
